DNS Performance versus Security
Slow DNS lookups can result in slow application performance. To improve response time, DNS uses two approaches: parallel requests and connectionless packets. When a DNS system generates a request, it sends the query to a group of servers. The requests are sent in parallel, and the requester accepts an answer from any of the servers. Because different servers respond at different rates, the fastest response is used for name resolution. Unfortunately, this also provides attackers with a window of opportunity: because any server may respond to a request, an attacker may also respond.
The DNS protocol may operate over TCP or UDP. Being a connection-oriented service, TCP is generally slower than UDP because it must negotiate each connection. Because UDP has no negotiation, most DNS queries use UDP. Unfortunately, this also simplifies attacks: an attacker only needs to generate a UDP packet rather than hijack a TCP connection.
DNS Poisoning
DNS trust-based attacks use a similar technique to ARP poisoning and IP hijacking through ICMP redirection. In each of these cases, an attacker provides false information. Whereas ARP poisoning is limited to the local network, DNS poisoning can occur anywhere along the network. Although IP hijacking can be prevented through ICMP filtering, DNS replies cannot be filtered. Even restricting DNS replies based on the server's network address does not provide any additional security. Because DNS uses UDP, an attacker can forge the sender's network address just as easily as forging the DNS session identifier.
In this tutorial:
- Domain Name System (DNS)
- DNS Common Uses
- Hostname-to-Address Mapping
- Common Lookup Tools
- Naming Confusion Attack Vectors
- Dotted Names
- Name Formatting
- Exploited Anonymity
- Mail Servers
- Sender Policy Framework Overloading
- Domain Keys Overloading
- DNS Protocol
- Packet Information
- Simple DNS Server
- Distributed Architecture
- Top Level Domain Servers
- Generic Top Level Domain (gTLD)
- Secondary Level Domain (SLD)
- Primary and Secondary Servers
- Caching Servers
- DNS Management
- DNS Direct Risks
- DNS Performance versus Security
- DNS Cache Poisoning
- Corrupt DNS Packets
- DNS Domain Hijacking
- DNS Server Hijacking
- Dynamic DNS
- Similar Hostnames
- Domain Renewals
- Hostnames
- Zone Transfers
- Host Listing
- DNS Fields
- Mitigation Option
- Technical Threat Mitigation
- Social Threat Mitigation
- Defining Trusted Replies